Regulierung & Compliance
Private Cloud or SaaS? Why Data Sovereignty Is a Requirement for Banks, Not a Preference
Private cloud or SaaS for banking AI? Why data sovereignty, DORA, and BaFin requirements prevent many banks from using multi-tenant SaaS for customer data.
•
acceleraid Redaktion
4 min read
01
Acquire
Signale erkennen
02
Onboard
Aktivierung steuern
03
Grow
Next Best Action
04
Retain
Churn reduzieren
05
Reactivate
Potenziale zurückholen
Most software decisions in enterprises today default to SaaS: fast deployment, low upfront cost, automatic updates, scalable usage models. For many use cases, SaaS is the right choice.
For AI systems that process customer data of regulated European banks, the decision is more complex.
This article sets out clearly what requirements banks must place on the deployment architecture of their AI systems — and why private cloud or on-premises deployment is for many institutions not one option among several, but a regulatory and strategic necessity.
The Regulatory Starting Point
Banks in Germany and the EU operate under a dense set of requirements governing how customer data is handled:
GDPR and national data protection law: Personal data may only be transferred to third-party providers where an adequate legal basis exists and affected individuals have been sufficiently informed. Exporting personal data to AI infrastructure outside the EU — or to systems over which the bank lacks adequate control — carries regulatory risk.
DORA (Digital Operational Resilience Act): From January 2025, DORA requires EU financial institutions to actively manage risks from third-party ICT providers. This includes the ability to rapidly switch critical systems or operate them in their own infrastructure in an emergency.
BaFin BAIT / ZAIT: The German banking supervisor requires that outsourced IT systems are auditable, controllable, and can be brought back in-house if necessary. An AI system whose operation is entirely dependent on an external provider struggles to satisfy these requirements.
Banking secrecy: German banking secrecy (and equivalent rules in other EU member states) protects customer data from unauthorised access by third parties — including access by the cloud provider itself.
What "Control" Means in Practice
The central argument for private cloud or on-premises deployment is not distrust of particular vendors. It is the need for demonstrable control.
In concrete terms:
Data localisation: The bank knows at all times where its customer data is stored. It can demonstrate that no data is processed in jurisdictions outside the EU — or in areas accessible under the US CLOUD Act or equivalent regulations.
Access control: No external provider has access to the bank's raw data without explicit authorisation. In a multi-tenant SaaS model, this guarantee is harder to demonstrate.
Model control: The bank retains control over the model versions deployed. It can freeze a specific model state, audit it, and reproduce it for supervisory authorities. With external SaaS models that update automatically, this is barely achievable.
Audit trail: Every access to customer data, every model inference, every parameter change must be loggable. Private cloud deployments enable complete audit trails under the bank's control.
The Typical Misconceptions on Both Sides
Misconception 1: Private cloud is always more expensive This was true a decade ago. Today, specialised providers offer private cloud deployments on dedicated infrastructure or in the bank's own data centre environment at costs that are comparable with multi-tenant SaaS — or lower at higher data volumes.
Misconception 2: SaaS does not offer adequate security This is too blunt. There are SaaS solutions with SOC 2 certification, German data centres, and robust data protection agreements. The argument for private cloud is not the absolute security level but the demonstrable control that regulated environments require.
Misconception 3: On-premises is operationally unworkable Modern on-premises deployments look very different from what was meant by the term five years ago. Containerised solutions (Kubernetes, Docker) run on bank hardware at the same abstraction level as cloud infrastructure. Updates are automatable, maintenance overhead is predictable.
The Right Model for Different Requirements
Not every banking AI application has the same requirements. A clear-eyed assessment:
Multi-tenant SaaS acceptable: Anonymised benchmark data, market data feeds, publicly accessible enrichment sources without customer data.
Private cloud recommended: All applications using customer data in training or inference — CDP, propensity models, churn prediction, next-best-action, campaign automation.
On-premises required: Credit decision systems with regulatory high-risk classification, systems with access to particularly sensitive data (health, family status), institutions with very strict internal data protection policies.
What This Means for the Buying Decision
Banks evaluating AI systems today should not treat the deployment question as a secondary technical detail. It is a strategic decision that determines regulatory auditability, cost trajectories, and long-term autonomy.
ACCELERAID was built from the start for deployment in private cloud and on-premises environments. No multi-tenant model, no raw data outside the customer's controlled infrastructure, complete audit trails.